From 57475e5e931b6ef604e8f1ac6f3fc06b8c10567e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 7 Dec 2016 13:36:20 -0800
Subject: [PATCH] priv_app.te: Drop auditallow app_data_file:file execute

This functionality is being used by priv_apps shipped as part of
Android. Don't drop execute_no_trans as we haven't seen any denials here
yet.

Addresses the following auditallow messages:

avc: granted { execute } for comm="GELServices-0"
path="/data/data/com.google.android.googlequicksearchbox/files/velour/dex_cache/Ji1opKyKASKEOKNQUu1QyWw_1.jar/Ji1opKyKASKEOKNQUu1QyWw_1.dex"
dev="dm-2" ino=1196939 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="CTION_IDLE_MODE"
path="/data/data/com.google.android.gms/snet/dalvik-cache/snet.dex"
dev="dm-2" ino=1114262 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="lowpool[3]"
path="/data/data/com.google.android.gms/files/libAppDataSearchExt_arm64_v8a.so"
dev="dm-2" ino=1688320 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:9196_2"
path="/data/data/com.google.android.gms/app_dg_cache/1FECE961A655634046D6AB5E18FE6F74212FBEA6/lib/libdC14BB7282EA1.so"
dev="dm-2" ino=1893474 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:13170_1"
path="/data/data/com.google.android.gms/app_fb/f.dex" dev="dm-2"
ino=1810720 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

Test: policy compiles.
Change-Id: I63358697b07c8f620b999e666791f4f385bab776
---
 public/priv_app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/priv_app.te b/public/priv_app.te
index 04a6ec79d..9ee347fbb 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -14,7 +14,7 @@ allow priv_app self:process ptrace;
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow priv_app app_data_file:file rx_file_perms;
-auditallow priv_app app_data_file:file { execute execute_no_trans };
+auditallow priv_app app_data_file:file execute_no_trans;
 
 # android.process.media uses /dev/mtp_usb
 allow priv_app mtp_device:chr_file rw_file_perms;
-- 
GitLab